saslauthd cache / cyrus-imap and several passwords per login
Andrew Morgan
morgan at orst.edu
Mon Jan 28 20:39:55 EST 2013
On Mon, 28 Jan 2013, Patrick Boutilier wrote:
> On 01/27/2013 09:03 PM, Andrew Morgan wrote:
>> On Sat, 5 Jan 2013, Patrick Lamaiziere wrote:
>>
>>> Hello,
>>>
>>> We use cyrus-imapd on CentOS 6 at work and I've got the following issue
>>> with authentication:
>>>
>>> Users can log in via a mailer (imap/pop) or use a webmail (horde). The
>>> webmail uses an SSO-CAS, and horde uses a CAS token to log in to
>>> cyrus-imap. As the CAS tokens are one-time tokens, they must be
>>> cached by saslauthd.
>>>
>>> For this we use PAM with saslauthd and 3 PAM modules. pam_cas checks if
>>> the password is a valid CAS token, then we try ldap and then a local
>>> account.
>>>
>>> cyrus-imap -> saslauthd (cache) -> PAM (pam_cas, pam_ldap, pam_unix)
>>>
>>> That works fine.
>>>
>>> The problem is: when a user uses the webmail and uses also a mailer
>>> (using imap), saslauthd will remove the CAS token previously cached when
>>> the mailer connects. So the webmail is disconnected.
>>>
>>> There is a patch to allow saslauthd to cache several passwords for one
>>> login but I would like to avoid this.
>>>
>>> As far as I can see, the cache depends on the service used (i.e. if I
>>> connect via pop, the imap password is not cleared from the
>>> saslauthd cache).
>>>
>>> So I'm asking if there is a way to introduce another "service" on
>>> cyrus-imap that will be used by the webmail (on another port than 143).
>>> I mean a service in the saslauthd / PAM way (the parameter '-s' in
>>> testsaslauthd: imap, pop, sieve).
>>>
>>> I don't know where to start. Is there a way to achieve this?
>>> Thanks, best regards.
>>
>> Sorry I have taken so long to respond. I saw this message a while ago but
>> I didn't have time to reply then. It doesn't look like anyone else has
>> responded according to the list archives.
>>
>> You can easily run multiple Cyrus imapd processes with different service
>> names. In your cyrus.conf, make a copy of your "imap" service and name it
>> something like "imap_webmail", listening on a different port. Then make a
>> /etc/pam.d/imap_webmail file with your desired PAM config.
>
>
> I just gave the above a try, since I currently modify the source to force
> which PAM service the imapd binary calls, but this entry still calls
> /etc/pam.d/imap instead of /etc/pam.d/imaptest:
>
>
> imaptest cmd="imapd" listen="imaptest"
>
>
> imaptest is in /etc/services on port 146.
Well shoot, it looks like the SASL service name is hard-coded in imapd.c:
    /* create the SASL connection */
    if (sasl_server_new("imap", config_servername,
                        NULL, NULL, NULL, NULL, 0,
                        &imapd_saslconn) != SASL_OK) {
        fatal("SASL failed initializing: sasl_server_new()", EC_TEMPFAIL);
    }
It would be nice if there was a way to override this somehow... Perhaps
file a bug on the bugzilla!
Andy
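As an added illustration (not code from this thread, from saslauthd or from Cyrus), here is a simplified Python model of a saslauthd-style cache keyed by (user, realm, service). It shows why the mailer's LDAP password evicts the cached CAS token when both logins arrive under the service name "imap", and why a distinct service name such as imap_webmail keeps them apart. The one-slot-per-key layout, the SHA-256 digest and the PamStack stand-in are assumptions of the model; the user, token and password values are constructed.

```python
from dataclasses import dataclass, field
import hashlib
import time


@dataclass
class AuthCache:
    """Model of an auth cache: one slot per (user, realm, service) holding a
    digest of the last accepted credential and its expiry (assumption, not
    saslauthd's real cache.c layout)."""
    ttl: float = 28800.0                    # saslauthd -t default, in seconds
    _slots: dict = field(default_factory=dict)

    @staticmethod
    def _digest(secret: str) -> str:
        return hashlib.sha256(secret.encode()).hexdigest()

    def check(self, user, realm, service, secret, backend, now=None):
        """Return 'cache' on a hit, 'pam' when the backend accepted and the
        slot was (over)written, or 'fail' when the backend rejected."""
        now = time.time() if now is None else now
        key = (user, realm, service)
        hit = self._slots.get(key)
        if hit and hit[1] > now and hit[0] == self._digest(secret):
            return "cache"
        if not backend(user, secret):
            return "fail"
        self._slots[key] = (self._digest(secret), now + self.ttl)
        return "pam"


class PamStack:
    """Constructed stand-in for pam_cas -> pam_ldap -> pam_unix."""
    def __init__(self, ldap_passwords, cas_tokens):
        self.ldap = ldap_passwords
        self.tokens = set(cas_tokens)       # one-time: consumed on first use

    def __call__(self, user, secret):
        if secret in self.tokens:
            self.tokens.discard(secret)     # pam_cas burns the token
            return True
        return self.ldap.get(user) == secret  # pam_ldap / pam_unix


def scenario(webmail_service):
    """Webmail logs in with a CAS token, the mailer with the LDAP password,
    then the webmail reconnects with the same (now consumed) token."""
    pam = PamStack({"alice": "ldap-pw"}, {"ST-42-constructed"})
    cache, t = AuthCache(), 1000.0
    return [cache.check("alice", "", webmail_service, "ST-42-constructed", pam, t),
            cache.check("alice", "", "imap", "ldap-pw", pam, t + 1),
            cache.check("alice", "", webmail_service, "ST-42-constructed", pam, t + 2)]


def expired_token_is_rejected():
    """Past the cache TTL the one-time token cannot be replayed against PAM."""
    pam = PamStack({"alice": "ldap-pw"}, {"ST-7-constructed"})
    cache = AuthCache(ttl=60.0)
    cache.check("alice", "", "imap_webmail", "ST-7-constructed", pam, 0.0)
    return cache.check("alice", "", "imap_webmail", "ST-7-constructed", pam, 61.0)
```

With both clients under "imap" the third call fails (the token slot was overwritten and pam_cas already consumed the token); with a separate webmail service name it is served from the cache.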